Huge Data Breach At Health System Leads To Biggest Ever Settlement

One of the nation’s biggest health-care systems has agreed to pay the largest settlement ever by a single entity for potential violations of federal patient privacy law, related to breaches that compromised the electronic data of 4 million patients.

Advocate Health Care Network, which operates 12 hospitals and more than 200 other treatment locations in Illinois, will pay $5.55 million to the U.S. Health and Human Services Department as part of the settlement announced by HHS on Thursday.

Advocate Health Care, which remains under investigation for the data breaches at a subsidiary by the Illinois Attorney General’s office, also will be required to adopt a corrective action plan for its data security. The breaches, two of which involved thefts of computers, occurred at a physicians’ group that is the largest in the Chicago area.

The patient records compromised included people’s names, addresses, dates of birth, credit card numbers with expiration dates, as well as demographic information, clinical information and health insurance information, according to HHS. Advocate Health Care said there “continues to be no indication that the information was misused.”

HHS said the settlement is a result of “the extent and duration of the alleged noncompliance” by Advocate Health Care with the law requiring health providers to adequately safeguard electronic protected health information. Other factors that contributed to the size of the settlement were the large number of patient records involved and the AG’s ongoing probe, according to HHS.

A spokeswoman for Illinois AG Lisa Madigan, when asked about the status of that probe, said, “We are close to resolving it.”

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Jocelyn Samuels, director of HHS’s Office for Civil Rights. OCR is responsible for enforcing compliance with HIPAA, the Health Insurance Portability and Accountability Act, the law at play in the case.

According to a resolution agreement signed as part of the settlement, Advocate Health Care reported three separate data breaches that occurred between July and November 2013, involving Advocate Medical Group, a physicians’ group with more than 1,000 doctors.

The first breach occurred early July 15 when four desktop computers containing records of nearly 4 million patients were stolen from an AMG administrative office in Park Ridge, Illinois.

The second breach involved an unauthorized third party gaining access, between June 30 and August 15, 2013, to the network of a company that provides billing services to AMG, which potentially compromised the health records of more than 2,000 AMG patients, according to the agreement.

Then, on Nov. 1, 2013, an unencrypted laptop containing patient records of more than 2,230 people was stolen from a car belonging to an AMG staffer, the agreement said.

Advocate Health Care did not admit to any wrongdoing in the resolution agreement. But HHS’s Office for Civil Rights said that its investigations of the breaches “revealed that Advocate failed” to take a number of steps to safeguard patient data.

Among other things, OCR said Advocate Health Care failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities of all of its” electronic patient health information records.

Advocate Health Care also failed to put into place “policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center,” according to OCR.

OCR also faulted Advocate Health Care for not getting satisfactory assurances, in a written contract, that its billing services provider would appropriately safeguard electronic patient records in its possession.

In an emailed statement to CNBC, Advocate Health Care said, “Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities.”

“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring,” Advocate Health Care said.

“While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”

